Systems and methods for detecting malware
Abstract
The disclosed computer-implemented method for detecting malware may include (1) identifying a plurality of programs represented in machine code, (2) deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, (3) training an autoencoder by using the plurality of opcode n-grams as input, (4) discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams, and (5) classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program. Various other methods, systems, and computer-readable media are also disclosed.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implemented method for detecting malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying a plurality of programs represented in machine code;
deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs;
training an autoencoder by using the plurality of opcode n-grams as input;
discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and
classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
initializing a neural network with the set of features discovered within the autoencoder;
training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and
classifying the potentially malicious program using the trained neural network.
2. The computer-implemented method of claim 1 , further comprising performing a security action on the potentially malicious program based on classifying the potentially malicious program as malicious.
3. The computer-implemented method of claim 1 , wherein using the set of features discovered within the autoencoder to analyze the potentially malicious program comprises:
extracting the set of features discovered within the autoencoder from the potentially malicious program; and
providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder.
4. The computer-implemented method of claim 1 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions.
5. The computer-implemented method of claim 1 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands.
6. The computer-implemented method of claim 1 , deriving the plurality of opcode n-grams from the plurality of programs comprises excluding a subset of opcodes from the plurality of opcode n-grams.
7. The computer-implemented method of claim 1 , wherein deriving the plurality of opcode n-grams from the plurality of programs comprises extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction.
8. A system for detecting malware, the system comprising:
an identification module, stored in memory, that identifies a plurality of programs represented in machine code;
a derivation module, stored in memory, that derives a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs;
a training module, stored in memory, that trains an autoencoder by using the plurality of opcode n-grams as input;
a discovery module, stored in memory, that discovers a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams;
a classification module, stored in memory, that classifies a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
initializing a neural network with the set of features discovered within the autoencoder;
training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and
classifying the potentially malicious program using the trained neural network; and
at least one physical processor configured to execute the identification module, the derivation module, the training module, the discovery module, and the classification module.
9. The system of claim 8 , wherein the classification module further performs a security action on the potentially malicious program based on classifying the potentially malicious program as malicious.
10. The system of claim 8 , wherein the classification module uses the set of features discovered within the autoencoder to analyze the potentially malicious program by:
extracting the set of features discovered within the autoencoder from the potentially malicious program;
providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder.
11. The system of claim 8 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions.
12. The system of claim 8 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands.
13. The system of claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by excluding a subset of opcodes from the plurality of opcode n-grams.
14. The system of claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction.
15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
identify a plurality of programs represented in machine code;
derive a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs;
train an autoencoder by using the plurality of opcode n-grams as input;
discover a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and
classify a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
initializing a neural network with the set of features discovered within the autoencoder;
training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and
classifying the potentially malicious program using the trained neural network.
16. The non-transitory computer-readable medium of claim 15 , wherein the one or more computer-readable instructions further cause the computing device to perform a security action on the potentially malicious program based on classifying the potentially malicious program as malicious.
17. The non-transitory computer-readable medium of claim 15 , wherein the one or more computer-readable instructions cause the computing device to use the set of features discovered within the autoencoder to analyze the potentially malicious program by causing the computing device to:
extract the set of features discovered within the autoencoder from the potentially malicious program; and
provide the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.